Unpicking the cyber-crime economy

Turning virtual cash into real money without being caught is a big problem for successful cyber-criminals.

They often have to get creative when “cashing out” or laundering the money they have stolen, according to a security expert.

Ziv Mador, head of security research at Trustwave SpiderLabs, told the BBC that credit card thieves, for example, have limited time to profit, because at some point the victim will put a stop on their card.

Tens of thousands of stolen card numbers are traded daily on the underground markets that Mr Mador and his colleagues monitor, with details taken from compromised websites or databases.

“They can try to sell the card, which is not big money because they only get a few dollars for each one,” he said.

Instead, he added, they are more likely to use them to buy more valuable assets like iPhones or MacBooks, which are popular because they tend to hold their value when resold.

“They do not buy 100 or so iPhones at once,” he said. “They use a lot of different cards at different times.”

Mr Mador said the crooks use randomisation tools to thwart anti-fraud systems that would spot if all the purchases, even those made with different cards, are being done on the same computer.

Another “cashing out” technique uses gift cards from big retailers such as Amazon and WalMart.

This technique involves buying the gift card with the stolen credit card and then offering it for sale at a big discount.

For example, a customer may be able to buy a $400 (£312) card for half price, although they face the risk of it being cancelled if a retailer notices it was originally bought with a stolen credit card.

Then there are the more creative scams that seek to use Uber and other ride-hailing firms to launder cash.

Mr Mador, and others, have seen adverts seeking drivers who can take part, with Spain and the US both popular locations for the fraud. Other places like Moscow and St Petersburg were “temporarily unavailable”.

“They are looking for Uber drivers for fraudulent payments, people who can register for Uber and do fake rides,” said Mr Mador.

The driver’s account is used to launder the cash generated when stolen credit cards are used to pay for the fictitious journeys and they get a cut of the money as a payment.

It is these markets that form the backbone of the cyber-crime world, said Dr Mike McGuire, a criminologist from the University of Surrey, who has studied this shadowy community.

“We took a holistic look at the criminal economy and then we could see where the flows of money were going,” he told the BBC.

Some was laundered via banks and other well-established routes long used by criminal gangs, who increasingly have been finding ways to use newer technological methods.

Dr McGuire’s research suggests billions in criminal cash passes through underground markets each year. Some of that is just thieves selling to thieves but other methods involve the sale of drugs and other contraband.

Through conversations with convicted crooks and the police who pursue them, Dr McGuire said it was clear that some were involved in the trade for very mundane reasons.

“It’s a very human set of activities that these people are involved in,” he said. “About 15% were just using their revenues to pay their mortgages and their bills.”

Others, those who were making a lot of money, had got involved in “old-fashioned ostentatious spending”, he told the BBC.

“A lot of them are converting their money to assets and investing in them to acquire status.”

Paper trail

This is not straightforward work, he explained, because the crooks worked hard to obscure their ownership of the bogus firms.

But, he said, detailed long-term analysis of the information shared by front companies can help unpick the relationships.

“We will often find the contact details and registration addresses for these facilitators are the same across dozens of applications,” he said. “That’s because it’s very hard to genuinely create that many completely new corporate or individual identities.

“As a result they tend to reuse the same artefacts.”
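The artefact-reuse analysis described above, sketched as an added example (not code from the article or from any firm it quotes): it links applications that share a normalised contact detail or registration address and reports the resulting clusters. The field names, the normalisation rules and every record are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample applications; field names are assumptions for this example.
APPLICATIONS = [
    {"id": "A1", "email": "Ops@Example-Trade.test", "phone": "+44 20 7946 0001", "address": "Suite 4, 10 High St., London"},
    {"id": "A2", "email": "sales@northfield.test", "phone": "020 7946 0001", "address": "22 Mill Lane, Leeds"},
    {"id": "A3", "email": "info@bluepeak.test", "phone": "+44 161 496 0002", "address": "suite 4 10 high st london"},
    {"id": "A4", "email": "hello@corner-cafe.test", "phone": "+44 117 496 0003", "address": "5 Dock Road, Bristol"},
    {"id": "A5", "email": "info@bluepeak.test", "phone": "+44 113 496 0004", "address": "9 Park Row, Leeds"},
]

def normalise(field, value):
    """Reduce a value to a canonical form so trivial variations still match."""
    value = value.strip().lower()
    if field == "phone":
        # Keep the trailing 10 digits so "+44 20..." and "020..." compare equal.
        return re.sub(r"\D", "", value)[-10:]
    if field == "address":
        return re.sub(r"[^a-z0-9]+", " ", value).strip()
    return value

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def linked_clusters(apps, fields=("email", "phone", "address"), min_size=2):
    """Group applications that share any artefact, directly or transitively."""
    parent = {app["id"]: app["id"] for app in apps}
    first_seen = {}  # (field, normalised value) -> first application id using it
    for app in apps:
        for field in fields:
            value = normalise(field, app.get(field, ""))
            if not value:  # a blank field must never link two applications
                continue
            key = (field, value)
            if key in first_seen:
                parent[find(parent, app["id"])] = find(parent, first_seen[key])
            else:
                first_seen[key] = app["id"]
    groups = defaultdict(set)
    for app_id in parent:
        groups[find(parent, app_id)].add(app_id)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

if __name__ == "__main__":
    print(linked_clusters(APPLICATIONS))
```

In the sample, A2 and A5 share nothing directly but land in the same cluster through A1 and A3, which is the kind of relationship that only shows up when the artefacts are analysed together.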

Industry efforts to get lots of legitimate financial organisations sharing data about the organisations behind payments and purchases were also helping to uncover the front organisations, he added.

“It takes a network to defeat a network.”

That long-term data-driven approach is also helping banks to pick out the low-level recruits some criminals are using as “mules”, said Kedar Samant, co-founder of fraud-spotting firm Simility.

Mules are used by a lot of criminal gangs to get at cash generated by other means – often ransomware attacks or phishing campaigns.

Some gangs approach people who have done manual low-paid work abroad and offer to buy access to the bank account they set up when in that country.

Old school fraud detection systems would struggle to spot cash laundered through this route, because they were very “brittle”, Mr Samant said. They tended to look for anomalous behaviour rather than consider the context around the account, how it is used over time and where cash goes.

That long view was becoming crucial because many criminals were happy to take their time to learn the best ways to defraud a bank by testing it with “short bursts of attacks” that they then pull back from to see if the loss has been noticed.

“Your customers may come and go but fraudsters tend to be very loyal,” Mr Samant said.

“That’s because it takes time to learn a bank’s systems and how they can get away with the crimes.”